Threats in Network

university lecture/study notes in Information Systems: IT systems and business organizations

Uploaded by Martin Otieno

THREATS IN NETWORK

The main aims of threats are to compromise the confidentiality and integrity of data, software and hardware. Threat sources are nature and accidents, non-malicious humans, and malicious attackers.

What Makes A Network Vulnerable?

1. Anonymity
2. Many Points Of Attack
3. Sharing
4. Complexity Of System

Threat Precursors:

1. Port scan
2. Social Engineering
3. Reconnaissance
4. Operating System and Application fingerprinting
5. Bulletin Boards and chats
6. Availability of Documentation

Threats In Transit: Eavesdropping and Wiretapping

The term eavesdrop implies overhearing without expending any extra effort. For example, we can say that an attacker is eavesdropping by monitoring all traffic passing through a node. The more hostile term is wiretap, which means intercepting communication through some effort.

Choices of wiretapping are:

1. Cable
2. Microwave
3. Satellite Communication
4. Optical Fiber
5. Wireless

From a security standpoint we should assume that any communication link between network nodes can be broken (tapped). For this reason commercial network users employ encryption to protect the confidentiality of their communication.

Protocol Flaws:

Each protocol is identified by its Request For Comments (RFC) number. In TCP, the client's sequence number increments in a regular way, so an attacker who observes one value can easily guess the next one.

Impersonation:

In many instances, there is an easier way than wiretapping for obtaining information on a network: impersonate another person or process.

In impersonation, an attacker has several choices:

- Guess the identity and authentication details of the target
- Disable the authentication mechanism at the target computer
- Use a target that will not be authenticated
- Use a target whose authentication data are known

Spoofing:

Obtaining the network authentication credentials of an entity (a user, an account, a process, a node, a device) permits an attacker to create a full communication under the entity's identity. Examples of spoofing are masquerading, session hijacking, and man-in-the-middle attacks.

- In a masquerade one host pretends to be another.
- Session hijacking is intercepting and carrying on a session begun by another entity.
- A man-in-the-middle attack is a similar form of attack, in which one entity intrudes between two others.

Message Confidentiality Threats:

An attacker can easily violate message confidentiality (and perhaps integrity) because of the public nature of networks. Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure. Here we consider several other vulnerabilities that can affect confidentiality.

1. Misdelivery
2. Exposure
3. Traffic Flow Analysis

Message Integrity Threats:

In many cases, the integrity or correctness of a communication is at least as important as its confidentiality. In fact, for some situations, such as passing authentication data, the integrity of the communication is paramount. Threats based upon failures of integrity in communication are:

- Falsification of messages
- Noise

Web Site Defacement:

One of the most widely known attacks is the web site defacement attack. Because of the large number of sites that have been defaced and the visibility of the result, the attacks are often reported in the popular press. A defacement is common not only because of its visibility but also because of the ease with which one can be done.

Web site vulnerabilities enable attacks known as buffer overflows, dot-dot problems, application code errors, and server-side include problems.

Denial of Service:

Availability attacks, sometimes called denial-of-service or DoS attacks, are much more significant in networks than in other contexts. There are many accidental and malicious threats to availability or continued service.

1) Transmission Failure
2) Connection Flooding
3) Echo-Chargen
4) Ping of Death
5) Smurf
6) SYN Flood
7) Teardrop
8) Traffic Redirection
9) DNS Attacks

Threats in Active or Mobile Code:

Active code or mobile code is a general name for code that is pushed to the client for execution. Why should the web server waste its precious cycles and bandwidth doing simple work that the client's workstation can do? For example, suppose you want your web site to have bears dancing across the top of the page. To download the dancing bears, you could download a new image for each movement the bears take: one bit forward, two bits forward, and so forth. However, this approach uses far too much server time and bandwidth to compute the positions and download new images. A more efficient use of (server) resources is to download a program that runs on the client's machine and implements the movement of the bears.

Network Security Controls

The list of security attacks is long, and the news media carry frequent accounts of serious security incidents.

Security Threat Analysis:

The three steps of a security threat analysis, described earlier for other situations, apply here as well. First, we scrutinize all the parts of a system so that we know what each part does and how it interacts with other parts. Next, we consider possible damage to confidentiality, integrity, and availability. Finally, we hypothesize the kinds of attacks that could cause this damage. We can take the same steps with a network. We begin by looking at the individual parts of a network.

All the threats are summarized in the following list:

- Intercepting data in traffic
- Accessing programs or data at remote hosts
- Modifying programs or data at remote hosts
- Modifying data in transit
- Inserting communications
- Impersonating a user
- Inserting a repeat of a previous communication
- Blocking selected traffic
- Blocking all traffic
- Running a program at a remote host

Design and Implementation:

Architecture:

As with so many of the areas we have studied, planning can be the strongest control. In
particular, when we build or modify computer-based systems, we can give some thought to
their overall architecture and plan to "build in" security as one of the key constructs.

Similarly, the architecture or design of a network can have a significant effect on its security. The main areas to cover are:

- Segmentation
- Redundancy
- Single point of failure
- Mobile agents

Encryption:

Encryption is powerful for providing privacy, authenticity, integrity, and limited access to data. Because networks often involve even greater risks, they often secure data with encryption, perhaps in combination with other controls. Two types of encryption scheme exist:

- Link encryption (data are encrypted just before the system places them on the physical communications link)
- End-to-end encryption (provides security from one end of a transmission to the other)

Content Integrity:

Content integrity comes as a bonus with cryptography. No one can change encrypted data in a meaningful way without breaking the encryption. This does not say, however, that encrypted data cannot be modified. Changing even one bit of an encrypted data stream affects the result after decryption, often in a way that seriously alters the resulting plaintext. We need to consider three potential threats:

- Malicious modification that changes content in a meaningful way
- Malicious or non-malicious modification that changes content in a way that is not necessarily meaningful
- Non-malicious modification that changes content in a way that will not be detected

Encryption addresses the first of these threats very effectively. To address the others, we can use other controls.
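The point above is easy to see concretely: with a stream cipher, flipping one ciphertext bit flips exactly the corresponding plaintext bit, decryption reports no error, and an attacker who knows the message layout can make a meaningful change without breaking the encryption. The "other control" that catches it is a message authentication code. The following is an added example written for these notes, not code from the notes or from any standard; the stream cipher is a constructed toy (SHA-256 keystream), the payment message and keys are constructed sample data, and `seal`/`open_sealed` are this example's names for an encrypt-then-MAC construction using the standard library's `hmac`.

```python
import hashlib
import hmac
import os

# Constructed toy stream cipher for this illustration only: the keystream is
# SHA-256(key || nonce || counter). It is not a real cipher design; its role here is
# to show that confidentiality alone does not give integrity.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (decryption is the same operation)."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext: bytes, index: int, mask: int) -> bytes:
    """Model an in-transit modification: XOR one ciphertext byte with `mask`."""
    ct = bytearray(ciphertext)
    ct[index] ^= mask
    return bytes(ct)


def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers nonce || ciphertext, so any change is detected."""
    ct = encrypt(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key_enc: bytes, key_mac: bytes, blob: bytes):
    """Verify the tag before decrypting; return None (reject) on any integrity failure."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return decrypt(key_enc, nonce, ct)


def demonstrate(key_enc: bytes, key_mac: bytes, nonce: bytes) -> dict:
    """Run both scenarios on a constructed payment message and report the outcomes."""
    message = b"PAY 0100 TO BOB"
    # 1. Encryption only: flipping the low bit of ciphertext byte 4 ('0') decrypts to '1',
    #    a meaningful change (the amount becomes 1100), and decryption raises no error.
    ct = encrypt(key_enc, nonce, message)
    altered = decrypt(key_enc, nonce, tamper(ct, 4, 0x01))
    # 2. Encrypt-then-MAC: the same flip (ciphertext byte 4 sits at offset 16 + 4 inside
    #    the sealed blob, after the nonce) is detected and the message is rejected.
    blob = seal(key_enc, key_mac, nonce, message)
    return {
        "encryption_only_result": altered,
        "sealed_untampered": open_sealed(key_enc, key_mac, blob),
        "sealed_tampered": open_sealed(key_enc, key_mac, tamper(blob, 16 + 4, 0x01)),
    }


if __name__ == "__main__":
    k_enc, k_mac, n = os.urandom(32), os.urandom(32), os.urandom(16)
    for name, value in demonstrate(k_enc, k_mac, n).items():
        print(f"{name}: {value!r}")
```

Two design points carry over to real systems: the MAC key is separate from the encryption key, and the tag is checked before anything is decrypted, so a modified message is discarded rather than acted upon.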

Strong Authentication:

In the network case, however, authentication may be more difficult to achieve securely because of the possibility of eavesdropping and wiretapping, which are less common in non-networked environments. Also, both ends of a communication may need to be authenticated to each other.

Here the main issues are:

- One-time passwords
- Challenge-response systems
- Digital distributed authentication
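A challenge-response exchange addresses the eavesdropping problem just described: the shared secret is never sent, and what the wiretapper does see (a nonce and the response to it) is useless once the server issues a new challenge. The following is an added example, not code from these notes or from any particular authentication product; the `AuthServer` class, its method names and the user "alice" with her secret are constructed for the illustration, and the response function is HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import os


def compute_response(secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the shared secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class AuthServer:
    """Server side of the exchange. Secrets sit in a plain dict for the demo only; a real
    deployment stores them protected, which is the notes' point about endpoint security."""

    def __init__(self, secrets: dict):
        self._secrets = secrets       # username -> shared secret (constructed sample data)
        self._outstanding = {}        # username -> the single live challenge for that user

    def challenge(self, user: str) -> bytes:
        """Step 1: issue a fresh, unpredictable nonce. Any earlier challenge is superseded."""
        nonce = os.urandom(16)
        self._outstanding[user] = nonce
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        """Step 2: accept only a response to the live challenge; the nonce is consumed either way."""
        live = self._outstanding.pop(user, None)
        secret = self._secrets.get(user)
        if live is None or secret is None or not hmac.compare_digest(live, nonce):
            return False              # stale, replayed, or never-issued challenge
        expected = compute_response(secret, nonce)
        return hmac.compare_digest(expected, response)


def login(server: AuthServer, user: str, secret: bytes):
    """Full exchange. Returns (accepted, nonce, response); the last two are what a wiretap sees."""
    nonce = server.challenge(user)
    response = compute_response(secret, nonce)
    return server.verify(user, nonce, response), nonce, response


def replay(server: AuthServer, user: str, captured_nonce: bytes, captured_response: bytes) -> bool:
    """An eavesdropper who recorded (nonce, response) presents them later. The server has
    issued a new challenge for this attempt, so the recorded pair no longer matches."""
    server.challenge(user)
    return server.verify(user, captured_nonce, captured_response)


if __name__ == "__main__":
    srv = AuthServer({"alice": b"alice-shared-secret"})
    ok, n, r = login(srv, "alice", b"alice-shared-secret")
    print("legitimate login:", ok)
    print("replay of captured exchange:", replay(srv, "alice", n, r))
```

The example covers one direction only (the server authenticates the client); mutual authentication, which the notes say a network may also need, is the same exchange run in both directions with the roles swapped.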

Access Controls:

Authentication deals with the who of security policy enforcement; access controls enforce the what and how.

ACLs on Routers

Routers perform the major task of directing network traffic either to sub-networks they control or to other routers for subsequent delivery to other sub-networks. On the local sub-network, routers convert external IP addresses into the internal MAC addresses of hosts.

Suppose a host is being spammed (flooded) with packets from a malicious rogue host. Routers can be configured with access control lists (ACLs) that deny particular source hosts access to particular destination hosts. So, a router could discard all packets with the source address of the rogue host and the destination address of the target host.

Alarms and Alerts:

The logical view of network protection looks like the figure below, in which both a router and a
firewall provide layers of protection for the internal network. Now let us add one more layer to
this defense.

Fig. Layered network protection

Honey Pot: (A computer system open for attackers)

A honey pot has no special features. It is just a computer system or a network segment, loaded
with servers and devices and data. It may be protected with a firewall, although you want the
attackers to have some access. There may be some monitoring capability, done carefully so that
the monitoring is not evident to the attacker.

We put up a honey pot for several reasons:

- To watch what attackers do, in order to learn about new attacks (so that you can strengthen your defenses against these new attacks)
- To lure an attacker to a place in which you may be able to learn enough to identify and stop the attacker
- To provide an attractive but diversionary playground, hoping that the attacker will leave your real system alone

Firewalls

Firewalls were officially invented in the early 1990s, but the concept really reflects the reference monitor from two decades earlier.

What is a Firewall?

A firewall is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network. Usually a firewall runs on a dedicated device; because it is a single point through which traffic is channeled, performance is important, which means non-firewall functions should not be done on the same machine. Because a firewall is executable code, an attacker could compromise that code and execute from the firewall's device. Thus, the fewer pieces of code on the device, the fewer tools the attacker would have by compromising the firewall. Firewall code usually runs on a proprietary or carefully minimized operating system. The purpose of a firewall is to keep "bad" things outside a protected environment. To accomplish that, firewalls implement a security policy that is specifically designed to address what bad things might happen. For example, the policy might be to prevent any access from outside (while still allowing traffic to pass from the inside to the outside). Alternatively, the policy might permit accesses only from certain places, from certain users, or for certain activities. Part of the challenge of protecting a network with a firewall is determining which security policy meets the needs of the installation.

Design of Firewalls:

A reference monitor must be

- Always invoked
- Tamperproof
- Small and simple enough for rigorous analysis

A firewall is a special form of reference monitor. By carefully positioning a firewall within a network, we can ensure that all network accesses that we want to control must pass through it. This restriction meets the "always invoked" condition.

A firewall is typically well isolated, making it highly immune to modification. Usually a firewall is implemented on a separate computer, with direct connections only to the outside and inside networks. This isolation is expected to meet the "tamperproof" requirement. And firewall designers strongly recommend keeping the functionality of the firewall simple.

Types of Firewalls:

Firewalls have a wide range of capabilities. Types of firewalls include

- Packet filtering gateways or screening routers
- Stateful inspection firewalls
- Application proxies
- Guards
- Personal firewalls

Packet Filtering Gateway:

A packet filtering gateway or screening router is the simplest, and in some situations, the most effective type of firewall. A packet filtering gateway controls access to packets on the basis of packet address (source or destination) or specific transport protocol type (such as HTTP web traffic). As described earlier in this chapter, putting ACLs on routers may severely impede their performance. But a separate firewall behind (on the local side of) the router can screen traffic before it gets to the protected network. Figure 7-34 shows a packet filter that blocks access from (or to) addresses in one network; the filter allows HTTP traffic but blocks traffic using the Telnet protocol.
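A packet filter, and the router ACL described in the Access Controls section, both reduce to the same mechanism: an ordered rule list matched against header fields only, first match wins, default deny. The following is an added example for these notes, not code from any router or firewall product: the `Packet` and `Rule` types are this example's own, the addresses are constructed documentation ranges (203.0.113.66 plays the rogue host, 192.0.2.10 the flooded target, 198.51.100.0/24 the blocked network), and the three verdicts distinguish a silent drop from a reject that answers with an unreachable error, a distinction the notes make in their later firewall section.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (it never looks at the payload)."""
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept", "reject" (block, send unreachable) or "drop" (block silently)
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], packet: Packet, default: str = "drop") -> str:
    """First matching rule wins, as on a router ACL; unmatched traffic gets the default (deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def filter_batch(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [filter_packet(rules, p) for p in packets]


# Constructed rule set (documentation address ranges, not a real network). Order matters:
# the rogue-host rule must precede the general HTTP accept or the flood would get through.
RULES = [
    Rule("drop", src="203.0.113.66/32", dst="192.0.2.10/32"),   # discard the flood silently
    Rule("reject", src="198.51.100.0/24"),                       # block a whole network
    Rule("accept", proto="tcp", dport=80),                       # HTTP allowed in
    Rule("reject", proto="tcp", dport=23),                       # Telnet refused
]


if __name__ == "__main__":
    sample = [
        Packet("203.0.113.66", "192.0.2.10", "tcp", 80),   # rogue host, even to HTTP
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),   # blocked network
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),    # ordinary web client
        Packet("203.0.113.5", "192.0.2.10", "tcp", 23),    # Telnet attempt
        Packet("203.0.113.5", "192.0.2.10", "udp", 53),    # no rule: default deny
    ]
    for p, verdict in zip(sample, filter_batch(RULES, sample)):
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {verdict}")
```

Because the filter sees only headers, a permitted port carries whatever payload arrives on it; that gap is what the stateful inspection and application proxy sections that follow address.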

Stateful Inspection Firewall:

Filtering firewalls work on packets one at a time, accepting or rejecting each packet and moving on to the next. They have no concept of "state" or "context" from one packet to the next. A stateful inspection firewall maintains state information from one packet to another in the input stream.

One classic approach used by attackers is to break an attack into multiple packets by forcing some packets to have very short lengths so that a firewall cannot detect the signature of an attack split across two or more packets. (Remember that with the TCP protocols, packets can arrive in any order, and the protocol suite is responsible for reassembling the packet stream in proper order before passing it along to the application.) A stateful inspection firewall would track the sequence of packets and conditions from one packet to another to thwart such an attack.
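The evasion just described, and the stateful answer to it, can be shown side by side: a per-packet scanner examines each payload alone and never sees the split signature, while an inspector that records each connection from its SYN and reassembles payloads in sequence order sees the whole request even when the segments arrive out of order. This is an added example written for these notes, not code from any firewall; the signature string `/forbidden-admin-path` and the traffic are constructed, and the segment dictionaries, `StatefulInspector` class and function names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed signature for this demo: a request path the policy forbids. Not a real attack string.
SIGNATURE = re.compile(rb"/forbidden-admin-path")

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


def flow_key(seg: dict) -> FlowKey:
    return (seg["src"], seg["sport"], seg["dst"], seg["dport"])


def stateless_scan(segments: List[dict]) -> List[FlowKey]:
    """Per-packet inspection: each payload is examined on its own, so a signature split
    across two segments is never seen whole."""
    return [flow_key(s) for s in segments if SIGNATURE.search(s["payload"])]


class StatefulInspector:
    """Tracks each TCP connection from its SYN and reassembles payloads in sequence order."""

    def __init__(self):
        self._start: Dict[FlowKey, int] = {}                           # first data sequence number
        self._segments: Dict[FlowKey, Dict[int, bytes]] = defaultdict(dict)

    def feed(self, seg: dict) -> str:
        key = flow_key(seg)
        if seg.get("syn"):
            self._start[key] = seg["seq"] + 1          # the SYN consumes one sequence number
            self._segments[key] = {}
            return "opened"
        if key not in self._start:
            return "no_state"                          # data for a connection never seen opening
        self._segments[key][seg["seq"]] = seg["payload"]
        return "data"

    def contiguous(self, key: FlowKey) -> bytes:
        """In-order bytes from the start of the stream up to the first missing segment."""
        data, seq, segs = b"", self._start[key], self._segments[key]
        while seq in segs:
            data += segs[seq]
            seq += len(segs[seq])
        return data


def stateful_scan(segments: List[dict]) -> List[Tuple[str, FlowKey]]:
    """Run every segment through the inspector; alert once per flow on a reassembled match,
    and on data that belongs to no connection the inspector saw open."""
    inspector = StatefulInspector()
    alerts: List[Tuple[str, FlowKey]] = []
    for seg in segments:
        status = inspector.feed(seg)
        key = flow_key(seg)
        if status == "no_state":
            alerts.append(("unsolicited_data", key))
        elif status == "data" and SIGNATURE.search(inspector.contiguous(key)):
            if ("signature", key) not in alerts:
                alerts.append(("signature", key))
    return alerts


def sample_segments() -> List[dict]:
    """Constructed traffic: one connection whose request is split across two segments that
    arrive out of order, plus one stray segment from a connection that never opened."""
    c = {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80}
    first = b"GET /forbid"                                  # 11 bytes, seq 1001..1011
    second = b"den-admin-path HTTP/1.0\r\n\r\n"             # seq 1012 onwards
    return [
        dict(c, syn=True, seq=1000, payload=b""),
        dict(c, seq=1001 + len(first), payload=second),    # arrives before its predecessor
        dict(c, seq=1001, payload=first),
        {"src": "198.51.100.9", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
         "seq": 5000, "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    ]


if __name__ == "__main__":
    segs = sample_segments()
    print("stateless:", stateless_scan(segs))
    print("stateful: ", stateful_scan(segs))
```

The cost of this design is the state table itself: a real inspector must bound how many connections and how many bytes per connection it keeps, or the table becomes a denial-of-service target of its own.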

Application Proxy

Packet filters look only at the headers of packets, not at the data inside the packets. Therefore, a packet filter would pass anything to port 25, assuming its screening rules allow inbound connections to that port. But applications are complex and sometimes contain errors. Worse, applications (such as the e-mail delivery agent) often act on behalf of all users, so they require privileges of all users (for example, to store incoming mail messages so that inside users can read them). A flawed application, running with all users' privileges, can cause much damage. An application proxy gateway, also called a bastion host, is a firewall that simulates the (proper) effects of an application so that the application receives only requests to act properly. A proxy gateway is a two-headed device: It looks to the inside as if it is the outside (destination) connection, while to the outside it responds just as the insider would.

An application proxy runs pseudo-applications. For instance, when electronic mail is transferred to a location, a sending process at one site and a receiving process at the destination communicate by a protocol that establishes the legitimacy of a mail transfer and then actually transfers the mail message. The protocol between sender and destination is carefully defined. A proxy gateway essentially intrudes in the middle of this protocol exchange, seeming like a destination in communication with the sender that is outside the firewall, and seeming like the sender in communication with the real destination on the inside. The proxy in the middle has the opportunity to screen the mail transfer, ensuring that only acceptable e-mail protocol commands are sent to the destination.

Guard:

A guard is a sophisticated firewall. Like a proxy firewall, it receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result. The guard decides what services to perform on the user's behalf in accordance with its available knowledge, such as whatever it can reliably know of the (outside) user's identity, previous interactions, and so forth. The degree of control a guard can provide is limited only by what is computable. But guards and proxy firewalls are similar enough that the distinction between them is sometimes fuzzy. That is, we can add functionality to a proxy firewall until it starts to look a lot like a guard.

Personal Firewalls:

A personal firewall is an application program that runs on a workstation to block unwanted traffic, usually from the network. A personal firewall can complement the work of a conventional firewall by screening the kind of data a single host will accept, or it can compensate for the lack of a regular firewall, as in a private DSL or cable modem connection.

The personal firewall is configured to enforce some policy. For example, the user may decide that certain sites, such as computers on the company network, are highly trustworthy, but most other sites are not. The user defines a policy permitting download of code, unrestricted data sharing, and management access from the corporate segment, but not from other sites. Personal firewalls can also generate logs of accesses, which can be useful to examine in case something harmful does slip through the firewall.

A personal firewall runs on the very computer it is trying to protect. Thus, a clever attacker is likely to attempt an undetected attack that would disable or reconfigure the firewall for the future. Still, especially for cable modem, DSL, and other "always on" connections, the static workstation is a visible and vulnerable target for an ever-present attack community. A personal firewall can provide reasonable protection to clients that are not behind a network firewall.

Comparison of Firewall types:

When comparing firewalls, you can consider things like:

- Type: There are several types of firewalls, including circuit-level gateways, stateful inspection firewalls, and packet filtering firewalls.
- Security level: How well the firewall protects against security threats
- Rule definition: How the firewall defines rules
- Resource usage: How many resources the firewall uses
- Performance speed: How fast the firewall is
- Cost: How much it costs to start and maintain the firewall


Intrusion Detection System:

An intrusion detection system (IDS) is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events. An IDS is a sensor, like a smoke detector, that raises an alarm if specific things occur. A model of an IDS is shown in the figure below. The components in the figure are the four basic elements of an intrusion detection system, based on the Common Intrusion Detection Framework of [STA96]. An IDS receives raw inputs from sensors. It saves those inputs, analyzes them, and takes some controlling action.

Types of IDSs

The two general types of intrusion detection systems are signature based and heuristic. Signature-based intrusion detection systems perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type. Heuristic intrusion detection systems, also known as anomaly based, build a model of acceptable behavior and flag exceptions to that model; for the future, the administrator can mark a flagged behavior as acceptable so that the heuristic IDS will now treat that previously unclassified behavior as acceptable.

Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation or client or host, to protect that one host.

Signature-Based Intrusion Detection:

A simple signature for a known attack type might describe a series of TCP SYN packets sent to many different ports in succession and at times close to one another, as would be the case for a port scan. An intrusion detection system would probably find nothing unusual in the first SYN, say, to port 80, and then another (from the same source address) to port 25. But as more and more ports receive SYN packets, especially ports that are not open, this pattern reflects a possible port scan. Similarly, some implementations of the protocol stack fail if they receive an ICMP packet with a data length of 65535 bytes, so such a packet would be a pattern for which to watch.

Heuristic Intrusion Detection:

Because signatures are limited to specific, known attack patterns, another form of intrusion detection becomes useful. Instead of looking for matches, heuristic intrusion detection looks for behavior that is out of the ordinary. The original work in this area focused on the individual, trying to find characteristics of that person that might be helpful in understanding normal and abnormal behavior. For example, one user might always start the day by reading e-mail, write many documents using a word processor, and occasionally back up files. These actions would be normal. This user does not seem to use many administrator utilities. If that person tried to access sensitive system management utilities, this new behavior might be a clue that someone else was acting under the user's identity.

Inference engines work in two ways. Some, called state-based intrusion detection systems, see the system going through changes of overall state or configuration. They try to detect when the system has veered into unsafe modes. Others try to map current activity onto a model of unacceptable activity and raise an alarm when the activity resembles the model. These are called model-based intrusion detection systems. This approach has been extended to networks in [MUK94]. Later work sought to build a dynamic model of behavior, to accommodate variation and evolution in a person's actions over time. The technique compares real activity with a known representation of normality.

Alternatively, intrusion detection can work from a model of known bad activity. For example, except for a few utilities (login, change password, create user), any other attempt to access a password file is suspect. This form of intrusion detection is known as misuse intrusion detection. In this work, the real activity is compared against a known suspicious area.

Stealth Mode:

An IDS is a network device (or, in the case of a host-based IDS, a program running on a network device). Any network device is potentially vulnerable to network attacks. How useful would an IDS be if it itself were deluged with a denial-of-service attack? If an attacker succeeded in logging in to a system within the protected network, wouldn't trying to disable the IDS be the next step?

To counter those problems, most IDSs run in stealth mode, whereby an IDS has two network interfaces: one for the network (or network segment) being monitored and the other to generate alerts and perhaps serve other administrative needs. The IDS uses the monitored interface as input only; it never sends packets out through that interface. Often, the interface is configured so that the device has no published address through the monitored interface; that is, a router cannot route anything to that address directly, because the router does not know such a device exists. It is the perfect passive wiretap. If the IDS needs to generate an alert, it uses only the alarm interface on a completely separate control network.

Goals for Intrusion Detection Systems:

1. Responding to alarms:

Whatever the type, an intrusion detection system raises an alarm when it finds a match. The alarm can range from something modest, such as writing a note in an audit log, to something significant, such as paging the system security administrator. Particular implementations allow the user to determine what action the system should take on what events.

In general, responses fall into three major categories (any or all of which can be used in a single response):

- Monitor, collect data, perhaps increase the amount of data collected
- Protect, act to reduce exposure
- Call a human

2. False Results:

Intrusion detection systems are not perfect, and mistakes are their biggest problem. Although an IDS might detect an intruder correctly most of the time, it may stumble in two different ways: by raising an alarm for something that is not really an attack (called a false positive, or type I error in the statistical community) or not raising an alarm for a real attack (a false negative, or type II error). Too many false positives means the administrator will be less confident of the IDS's warnings, perhaps leading to a real alarm's being ignored. But false negatives mean that real attacks are passing the IDS without action. We say that the degree of false positives and false negatives represents the sensitivity of the system. Most IDS implementations allow the administrator to tune the system's sensitivity, to strike an acceptable balance between false positives and negatives.
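The port-scan signature from the Signature-Based Intrusion Detection section and the sensitivity trade-off described here belong together: the signature has two knobs (how many distinct ports, within how many seconds), and each setting of those knobs produces a different count of false positives and false negatives on the same traffic. The following is an added example written for these notes, not code from any IDS product; the SYN log and the ground-truth set of scanners are constructed sample data, and the function names are this example's own.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed SYN log: (time in seconds, source address, destination port). Not a real capture.
SYN_LOG: List[Tuple[float, str, int]] = [
    # fast scanner: eight ports in eight seconds
    (0.0, "203.0.113.66", 21), (1.0, "203.0.113.66", 22), (2.0, "203.0.113.66", 23),
    (3.0, "203.0.113.66", 25), (4.0, "203.0.113.66", 80), (5.0, "203.0.113.66", 110),
    (6.0, "203.0.113.66", 143), (7.0, "203.0.113.66", 443),
    # slow scanner: six ports, thirty seconds apart
    (10.0, "203.0.113.67", 21), (40.0, "203.0.113.67", 22), (70.0, "203.0.113.67", 23),
    (100.0, "203.0.113.67", 25), (130.0, "203.0.113.67", 80), (160.0, "203.0.113.67", 443),
    # ordinary web client: only ports 80 and 443
    (3.0, "198.51.100.7", 80), (3.5, "198.51.100.7", 443), (4.0, "198.51.100.7", 80),
    (50.0, "198.51.100.7", 443),
    # administrator's workstation: four services within a few seconds
    (20.0, "198.51.100.20", 22), (21.0, "198.51.100.20", 80), (22.0, "198.51.100.20", 443),
    (23.0, "198.51.100.20", 3389),
]
TRUE_SCANNERS: Set[str] = {"203.0.113.66", "203.0.113.67"}   # constructed ground truth


def detect_scanners(syn_log, window: float = 10.0, threshold: int = 5) -> Set[str]:
    """Signature: one source sends SYNs to at least `threshold` distinct ports within some
    `window`-second span. The two parameters are the sensitivity knobs."""
    by_src: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for t, src, port in sorted(syn_log):
        by_src[src].append((t, port))
    flagged = set()
    for src, events in by_src.items():
        for t0, _ in events:                       # slide a window starting at each SYN
            ports = {p for t, p in events if t0 <= t < t0 + window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


def evaluate(flagged: Set[str], true_scanners: Set[str]) -> Dict[str, int]:
    """False positives: flagged but benign. False negatives: scanners that slipped through."""
    return {
        "false_positives": len(flagged - true_scanners),
        "false_negatives": len(true_scanners - flagged),
    }


def sensitivity_sweep(syn_log, true_scanners, thresholds: Iterable[int], window: float = 10.0):
    """Tune the threshold and record the trade-off at each setting."""
    return {th: evaluate(detect_scanners(syn_log, window, th), true_scanners) for th in thresholds}


if __name__ == "__main__":
    for th, result in sensitivity_sweep(SYN_LOG, TRUE_SCANNERS, [2, 3, 5, 9]).items():
        print(f"threshold={th}: {result}")
    print("window=200s, threshold=5:", sorted(detect_scanners(SYN_LOG, 200.0, 5)))
```

On this traffic a low threshold flags the ordinary web client and the administrator's workstation (false positives), a high threshold misses even the fast scanner, and no 10-second window ever catches the slow scanner; widening the window to 200 seconds does, at the price of more state per source. That is the balance the paragraph above says the administrator must strike.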

IDS strengths and limitations:

On the upside, IDSs detect an ever-growing number of serious problems. And as we learn more about problems, we can add their signatures to the IDS model. Thus, over time, IDSs continue to improve. At the same time, they are becoming cheaper and easier to administer.

On the downside, avoiding an IDS is a first priority for successful attackers. An IDS that is not well defended is useless. Fortunately, stealth mode IDSs are difficult even to find on an internal network, let alone to compromise. IDSs look for known weaknesses, whether through patterns of known attacks or models of normal behavior. Similar IDSs may have identical vulnerabilities, and their selection criteria may miss similar attacks. Knowing how to evade a particular model of IDS is an important piece of intelligence passed within the attacker community. Of course, once manufacturers become aware of a shortcoming in their products, they try to fix it. Fortunately, commercial IDSs are pretty good at identifying attacks. Another IDS limitation is its sensitivity, which is difficult to measure and adjust. IDSs will never be perfect, so finding the proper balance is critical.

In general, IDSs are excellent additions to a network's security. Firewalls block traffic to particular ports or addresses; they also constrain certain protocols to limit their impact. But by definition, firewalls have to allow some traffic to enter a protected area. Watching what that traffic actually does inside the protected area is an IDS's job, which it does quite well.

Secure Email:

We rely on e-mail's confidentiality and integrity for sensitive and important communications,
even though ordinary e-mail has almost no confidentiality or integrity. Here we investigate how
to add confidentiality and integrity protection to ordinary e-mail.

Sometimes we would like e-mail to be more secure. To define and implement a more secure
form, we begin by examining the exposures of ordinary e-mail.

Threats to E-mail

- Message interception (confidentiality)
- Message interception (blocked delivery)
- Message interception and subsequent replay
- Message content modification
- Message origin modification
- Message content forgery by outsider
- Message origin forgery by outsider
- Message content forgery by recipient
- Message origin forgery by recipient
- Denial of message transmission

Requirements and solutions:

The following protections are required for e-mail:

- Message confidentiality (the message is not exposed en route to the receiver)
- Message integrity (what the receiver sees is what was sent)
- Sender authenticity (the receiver is confident who the sender was)
- Non-repudiation (the sender cannot deny having sent the message)

Designs:
One of the design goals for encrypted e-mail was allowing security-enhanced messages to
travel as ordinary messages through the existing Internet e-mail system. This requirement
ensures that the large existing e-mail network would not require change to accommodate
security. Thus, all protection occurs within the body of a message.

Confidentiality:

The encrypted e-mail standard works most easily as just described, using both symmetric and
asymmetric encryption. The standard is also defined for symmetric encryption only.

Encryption of secure e-mail:

Encrypted e-mail provides strong end-to-end security for electronic mail. Triple DES, AES and
RSA cryptography are quite strong, especially if RSA is used with a long bit key (1024 bits or
more). The vulnerabilities remaining with encrypted e-mail come from the points not covered:
the endpoints. An attacker with access could subvert a sender's or receiver's machine,
modifying the code that does the privacy enhancements or arranging to leak a cryptographic
key.

Examples of Secure E-mail:

- PGP (Pretty Good Privacy)
- S/MIME (Secure Multipurpose Internet Mail Extensions)

EXERCISES

1. The FTP protocol is relatively easy to proxy; the firewall decides, for example, whether an outsider should be able to access a particular directory in the file system and issues a corresponding command to the inside file manager or responds negatively to the outsider. Other protocols are not feasible to proxy. List three protocols that it would be prohibitively difficult or impossible to proxy. Explain your answer.

2. How would the content of the audit log differ for a screening router versus an application proxy firewall?

3. Cite a reason why an organization might want two or more firewalls on a single network.

4. Firewalls are targets for penetrators. Why are there few compromises of firewalls?

5. Should a network administrator put a firewall in front of a honey pot? Why or why not?

6. Can a firewall block attacks using server scripts, such as the attack in which the user could change a price on an item offered by an e-commerce site? Why or why not?

7. Why does a stealth mode IDS need a separate network to communicate alarms and to accept management commands?

8. One form of IDS starts operation by generating an alert for every action. Over time, the administrator adjusts the setting of the IDS so that common, benign activities do not generate alarms. What are the advantages and disadvantages of this design for an IDS?

9. Can encrypted e-mail provide verification to a sender that a recipient has read an e-mail message? Why or why not?

10. Can message confidentiality and message integrity protection be applied to the same message? Why or why not?

11. What are the advantages and disadvantages of an e-mail program that automatically applies and removes protection to e-mail messages between sender and receiver?

Introduction of Firewall in Computer Network

In the world of computer networks, a firewall acts like a security guard. Its job is to watch over
the flow of information between your computer or network and the internet. It’s designed to
block unauthorized access while allowing safe data to pass through.

Essentially, a firewall helps keep your digital world safe from unwanted visitors and potential
threats, making it an essential part of today's connected environment. It monitors both
incoming and outgoing traffic against a predefined set of security rules to detect and prevent threats.

What is a Firewall?

A firewall is a network security device, either hardware- or software-based, which monitors all
incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or
drops that specific traffic.

• Accept: allow the traffic

• Reject: block the traffic but reply to the sender with an "unreachable" error

• Drop: block the traffic with no reply

A firewall is a type of network security device that filters incoming and outgoing network traffic
according to security policies that have previously been set up inside an organization. At its most
basic level, a firewall is essentially the wall that separates a private internal network from the
open Internet.

History and Need For Firewall

Before firewalls, network security was performed by Access Control Lists (ACLs) residing on
routers. ACLs are rules that determine whether network access should be granted or denied to
specific IP addresses. But an ACL cannot determine the nature of the packet it is blocking, and an
ACL alone does not have the capacity to keep threats out of the network. Hence, the firewall was
introduced. Connectivity to the Internet is no longer optional for organizations. While accessing
the Internet provides benefits to the organization, it also enables the outside world to interact
with the internal network of the organization. This creates a threat to the organization. In order
to secure the internal network from unauthorized traffic, we need a firewall.

Working of Firewall

A firewall matches the network traffic against the rule set defined in its table. Once a rule is
matched, the associated action is applied to the network traffic. For example, one rule might say
that no employee from the Human Resources department can access the data on the code server,
while at the same time another rule says that the system administrator can access the data of
both the Human Resources and the technical department. Rules can be defined on the firewall
based on the needs and security policies of the organization. From the perspective of a server,
network traffic can be either outgoing or incoming.

The firewall maintains a distinct set of rules for each case. Mostly the outgoing traffic,
originating from the server itself, is allowed to pass. Still, setting rules on outgoing traffic is
always better in order to achieve more security and prevent unwanted communication. Incoming
traffic is treated differently. Most traffic which reaches the firewall uses one of three major
Transport Layer protocols: TCP, UDP or ICMP. All three types carry a source address and a
destination address. TCP and UDP also carry port numbers. ICMP uses a type code instead of a
port number, which identifies the purpose of that packet.

Default policy: It is very difficult to explicitly cover every possible case with rules on the
firewall. For this reason, the firewall must always have a default policy. The default policy
consists only of an action (accept, reject or drop). Suppose no rule is defined about SSH
connections to the server on the firewall. The firewall will then follow the default policy. If the
default policy on the firewall is set to accept, then any computer outside of your office can
establish an SSH connection to the server. Therefore, setting the default policy to drop (or reject)
is always a good practice.

Types of Firewall

Firewalls can be categorized based on their generation.

1. Packet Filtering Firewall

A packet filtering firewall is used to control network access by monitoring outgoing and incoming
packets and allowing them to pass or stopping them based on source and destination IP address,
protocol, and ports. It analyses traffic at the transport protocol layer (but mainly uses the first 3
layers). Packet filters treat each packet in isolation. They have no ability to tell whether a
packet is part of an existing stream of traffic; they can only allow or deny packets based on
the individual packet's headers. A packet filtering firewall maintains a filtering table that decides
whether a packet will be forwarded or discarded. For example, a filtering table may encode
rules such as the following:

• Incoming packets from network 192.168.21.0 are blocked.

• Incoming packets destined for the internal TELNET server (port 23) are blocked.

• Incoming packets destined for host 192.168.21.3 are blocked.

• All well-known services to the network 192.168.21.0 are allowed.
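The rule matching, default policy and accept/reject/drop actions described under "Working of Firewall", together with the four sample packet-filter rules just listed, as one worked example. This is added illustration code, not code from these notes or from any firewall product; the rule table, addresses, ports and packets are all constructed, and the reading of "well-known services" as destination ports below 1024 is an assumption.

```python
"""Toy first-match packet filter with a default policy.

Added example for these notes (not code from the notes or from any
firewall product): it models the rule table, the three actions
(accept / reject / drop) and the default policy described above, and
encodes the four sample packet-filtering rules as a rule table. All
addresses, ports and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ACCEPT, REJECT, DROP = "accept", "reject", "drop"


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" = toward the protected network, "out" = leaving it
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IP address
    dst: str                         # destination IP address
    dport: Optional[int] = None      # TCP/UDP destination port; ICMP has none
    icmp_type: Optional[int] = None  # ICMP uses a type code instead of a port


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set agrees with the packet."""
    action: str
    direction: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None    # CIDR, e.g. "192.168.21.0/24"
    dst_net: Optional[str] = None
    dport: Optional[int] = None      # exact destination port
    dport_max: Optional[int] = None  # any destination port <= this value

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_max is not None and (p.dport is None or p.dport > self.dport_max):
            return False
        return True


class PacketFilter:
    """Stateless filter: each packet is judged alone, by the first matching rule."""

    def __init__(self, rules, default=DROP):
        self.rules = list(rules)
        self.default = default  # applied when no rule matches

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default

    @staticmethod
    def reply_for(action: str) -> Optional[str]:
        """Reject answers the sender; drop and accept send nothing back."""
        return "ICMP destination unreachable" if action == REJECT else None


# The four sample rules from the notes, in order (first match wins, so the
# per-host block for 192.168.21.3 must precede the broad allow rule).
# Rule 4 takes "well-known services" to mean destination ports below 1024.
SAMPLE_RULES = [
    Rule(DROP, direction="in", src_net="192.168.21.0/24"),                    # 1
    Rule(DROP, direction="in", proto="tcp", dport=23),                        # 2 TELNET
    Rule(DROP, direction="in", dst_net="192.168.21.3/32"),                    # 3
    Rule(ACCEPT, direction="in", dst_net="192.168.21.0/24", dport_max=1023),  # 4
]


def run_examples():
    """Decide a handful of constructed packets; returns {name: action}."""
    strict = PacketFilter(SAMPLE_RULES, default=DROP)
    permissive = PacketFilter(SAMPLE_RULES, default=ACCEPT)
    ssh_no_rule = Packet("in", "tcp", "203.0.113.9", "10.0.0.5", dport=22)  # no rule covers it
    return {
        "from_blocked_net": strict.decide(Packet("in", "tcp", "192.168.21.7", "10.0.0.5", dport=80)),
        "telnet": strict.decide(Packet("in", "tcp", "203.0.113.9", "192.168.21.10", dport=23)),
        "to_blocked_host": strict.decide(Packet("in", "tcp", "203.0.113.9", "192.168.21.3", dport=80)),
        "web_allowed": strict.decide(Packet("in", "tcp", "203.0.113.9", "192.168.21.10", dport=80)),
        "high_port": strict.decide(Packet("in", "udp", "203.0.113.9", "192.168.21.10", dport=5000)),
        "ssh_default_drop": strict.decide(ssh_no_rule),
        "ssh_default_accept": permissive.decide(ssh_no_rule),
        "reject_reply": PacketFilter.reply_for(REJECT),
    }


if __name__ == "__main__":
    for name, action in run_examples().items():
        print(f"{name:20s} -> {action}")
```

The two SSH entries show the default-policy point directly: the same packet, uncovered by any rule, is let in by a permissive default and stopped by a default of drop. Rule order matters because the first match wins; swapping rules 3 and 4 would silently expose 192.168.21.3 on every well-known port.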

2. Stateful Inspection Firewall

Stateful firewalls (which perform Stateful Packet Inspection) are able to determine the connection
state of a packet, unlike packet filtering firewalls, which makes them more effective. A stateful
firewall keeps track of the state of network connections travelling across it, such as TCP streams.
Filtering decisions are therefore based not only on the defined rules, but also on the packet's
history in the state table.
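The state-table idea in the paragraph above, as a worked example added here (not code from these notes or from any firewall product). It tracks TCP connections opened from the inside and compares its decision with a stateless rule that judges each packet alone; addresses, ports and packets are constructed, and the state machine is a deliberate simplification of real connection tracking.

```python
"""Minimal stateful (connection-tracking) filter for TCP.

Added example for these notes (not code from the notes or from any
firewall product): a state table lets the firewall accept return traffic
for connections that the inside opened and drop unsolicited inbound
packets that a stateless rule on header fields alone would let through.
Addresses, ports and packets are constructed; the state machine is a
simplification of real connection tracking (one FIN or RST closes the
entry, no timeouts, no sequence-number checks).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class TcpPacket:
    direction: str         # "out" = leaving the protected network, "in" = arriving
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


Key = Tuple[str, int, str, int]  # (inside addr, inside port, outside addr, outside port)


def conn_key(p: TcpPacket) -> Key:
    """Both directions of one connection map to the same table key."""
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    def __init__(self):
        self.table: Dict[Key, str] = {}  # key -> "SYN_SENT" | "ESTABLISHED"

    def decide(self, p: TcpPacket) -> str:
        key = conn_key(p)
        state = self.table.get(key)
        closing = bool(p.flags & {"FIN", "RST"})
        if state is None:
            # Only an inside host may open a connection, and only with a bare SYN.
            if p.direction == "out" and p.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "accept"
            return "drop"  # unsolicited inbound, or outbound for no known connection
        # The packet belongs to a tracked connection.
        if state == "SYN_SENT" and p.direction == "in" and {"SYN", "ACK"} <= p.flags:
            self.table[key] = "ESTABLISHED"
        if closing:
            del self.table[key]
        return "accept"


def stateless_decide(p: TcpPacket) -> str:
    """Classic stateless rule: outbound always passes, inbound TCP passes only
    when the ACK flag is set (the old heuristic for 'reply to an existing
    connection'). It cannot tell a genuine reply from a forged ACK."""
    if p.direction == "out":
        return "accept"
    return "accept" if "ACK" in p.flags else "drop"


def run_scenario():
    """Replay a constructed handshake plus a forged packet; returns {step: decision}."""
    inside, outside = "10.0.0.5", "203.0.113.9"
    fw = StatefulFilter()
    syn = TcpPacket("out", inside, 40000, outside, 80, frozenset({"SYN"}))
    syn_ack = TcpPacket("in", outside, 80, inside, 40000, frozenset({"SYN", "ACK"}))
    data = TcpPacket("in", outside, 80, inside, 40000, frozenset({"ACK"}))
    forged = TcpPacket("in", outside, 80, inside, 40001, frozenset({"ACK"}))  # no handshake behind it
    fin = TcpPacket("out", inside, 40000, outside, 80, frozenset({"FIN", "ACK"}))
    out = {}
    out["syn"] = fw.decide(syn)
    out["syn_ack"] = fw.decide(syn_ack)
    out["data"] = fw.decide(data)
    out["state_after_handshake"] = fw.table[conn_key(syn)]
    out["forged_stateful"] = fw.decide(forged)
    out["forged_stateless"] = stateless_decide(forged)
    out["fin"] = fw.decide(fin)
    out["data_after_close"] = fw.decide(data)
    return out


if __name__ == "__main__":
    for step, decision in run_scenario().items():
        print(f"{step:22s} -> {decision}")
```

The forged packet is the instructive case: it carries an ACK from a plausible server port, so the stateless rule lets it in, while the stateful filter drops it because no inside host ever sent a SYN for that port pair. The same table also explains why the packet sent after the FIN is refused.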

3. Software Firewall

A software firewall is any firewall that is set up locally or on a cloud server. When it comes to
controlling the inflow and outflow of data packets and limiting the number of networks that can
be linked to a single device, they may be the most advantageous. The problem with software
firewalls is that they are time-consuming to set up and maintain.

4. Hardware Firewall

They also go by the name "firewalls based on physical appliances." A hardware firewall ensures
that malicious data is halted before it reaches the network endpoint that is in danger.

5. Application Layer Firewall

An application layer firewall can inspect and filter packets on any OSI layer, up to the
application layer. It has the ability to block specific content, and also to recognize when certain
applications and protocols (like HTTP, FTP) are being misused. In other words, application layer
firewalls are hosts that run proxy servers. A proxy firewall prevents any direct connection
between the two sides of the firewall; each packet has to pass through the proxy.

6. Next Generation Firewalls (NGFW)

An NGFW combines Deep Packet Inspection, application inspection, SSL/SSH inspection and many
other functionalities to protect the network from modern threats.

7. Proxy Service Firewall

This kind of firewall filters communications at the application layer, and protects the network. A
proxy firewall acts as a gateway between two networks for a particular application.

8. Circuit Level Gateway Firewall

This works at the Session layer of the OSI model. It allows for the simultaneous setup of
two Transmission Control Protocol (TCP) connections. It can effortlessly allow data packets to
flow without using much computing power. These firewalls are limited because they do not
inspect the contents of data packets: if malware is carried in a data packet, they will permit it to
pass, provided that the TCP connection was established properly.

Functions of Firewall

• Every piece of data that enters or leaves a computer network must go through the firewall.

• If the data packets are safely routed via the firewall, all of the important data remains intact.

• A firewall logs each data packet that passes through it, enabling the user to keep track of all
network activities.

• Since the data is stored safely inside the data packets, it cannot be altered.

• Every attempt to access our operating system is examined by our firewall, which also blocks
traffic from unidentified or undesired sources.

Who Invented Firewalls?

The firewall keeps changing and getting better because different people have been working on
it since the late 1980s to the mid-90s. Each person added new parts and improved versions of
the firewall before it became what we use in modern times. This means the firewall is always
evolving to become more effective and secure.

Jeff Mogul, Paul Vixie, and Brian Reid

In the late 1980s, Mogul, Reid, and Vixie worked at Digital Equipment Corp (DEC) on packet-
filtering technology. This tech became important for future firewalls. They started the idea of
checking external connections before they reach computers on an internal network. Some
people think this packet filter was the first firewall, but it was really a part of the technology
that later became true firewall systems.

Kshitij Nigam, William Cheswick, David Presotto, Steven Bellovin, and Janardan Sharma

In the late 1980s to early 1990s, researchers at AT&T Bell Labs worked on a new type of firewall
called the circuit-level gateway. Unlike earlier methods, this firewall didn’t need to reauthorize
connections for each data packet but instead vetted and allowed ongoing connections. From
1989 to 1990, Presotto, Sharma, and Nigam developed this technology, and in 1991, Cheswick
and Bellovin continued to advance firewall technology based on their work.

Marcus Ranum

From 1991 to 1992, Ranum introduced security proxies at DEC, which became a crucial part of
the first application-layer firewall product. Known as the Secure External Access Link (SEAL)
product, it was based on earlier work by Reid, Vixie, and Mogul at DEC. SEAL marked the first
commercially available firewall, pioneering the way for enhanced network security through
application-level protection.

Gil Shwed and Nir Zuk

From 1993 to 1994, at Check Point, Gil Shwed and developer Nir Zuk made major contributions
to creating the first widely-used and easy-to-use firewall product called Firewall-1. Gil Shwed
pioneered stateful inspection technology, filing a U.S. patent in 1993. Following this, Nir Zuk
developed a user-friendly graphical interface for Firewall-1 in 1994. These innovations were
pivotal in making firewalls accessible and popular among businesses and homes, shaping their
adoption for years to come.

Importance of Firewalls

So, what does a firewall do and why is it important? Without protection, networks are
vulnerable to any traffic trying to access your systems, whether it’s harmful or not. That’s why
it’s crucial to check all network traffic.

When you connect personal computers to other IT systems or the internet, it opens up many
benefits like collaboration, resource sharing, and creativity. But it also exposes your network
and devices to risks like hacking, identity theft, malware, and online fraud.
Once a malicious person finds your network, they can easily access and threaten it, especially
with constant internet connections.

Using a firewall is essential for proactive protection against these risks. It helps users shield
their networks from the worst dangers.

What Does Firewall Security Do?

A firewall serves as a security barrier for a network, narrowing the attack surface to a single
point of contact. Instead of every device on a network being exposed to the internet, all traffic
must first go through the firewall. This way, the firewall can filter and block non-permitted
traffic, whether it’s coming in or going out. Additionally, firewalls help create a record of
attempted connections, improving security awareness.

What Can Firewalls Protect Against?

• Infiltration by Malicious Actors: Firewalls can block suspicious connections, preventing
eavesdropping and advanced persistent threats (APTs).

• Parental Controls: Parents can use firewalls to block their children from accessing
explicit web content.

• Workplace Web Browsing Restrictions: Employers can restrict employees from using
the company network to access certain services and websites, like social media.

• Nationally Controlled Intranet: Governments can block access to certain web content
and services that conflict with national policies or values.

By allowing network owners to set specific rules, firewalls offer customizable protection for
various scenarios, enhancing overall network security.

Advantages of Using Firewall

• Protection From Unauthorized Access: Firewalls can be set up to restrict incoming
traffic from particular IP addresses or networks, preventing hackers or other malicious
actors from easily accessing a network or system.

• Prevention of Malware and Other Threats: Firewalls can be set up to block traffic linked
to known malware or other security concerns, assisting in the defense against these kinds
of attacks.

• Control of Network Access: By limiting access to specified individuals or groups for
particular servers or applications, firewalls can be used to restrict access to particular
network resources or services.

• Monitoring of Network Activity: Firewalls can be set up to record and keep track of all
network activity.

• Regulation Compliance: Many industries are bound by rules that demand the usage of
firewalls or other security measures.

• Network Segmentation: By using firewalls to split up a bigger network into smaller
subnets, the attack surface is reduced and the security level is raised.

Disadvantages of Using Firewall

• Complexity: Setting up and keeping up a firewall can be time-consuming and difficult,
especially for bigger networks or companies with a wide variety of users and devices.

• Limited Visibility: Firewalls may not be able to identify or stop security risks that
operate at other levels, such as the application or endpoint level, because they can only
observe and manage traffic at the network level.

• False Sense of Security: Some businesses may place an excessive amount of reliance on
their firewall and disregard other crucial security measures like endpoint security or
intrusion detection systems.

• Limited Adaptability: Because firewalls are frequently rule-based, they might not be
able to respond to fresh security threats.

• Performance Impact: Network performance can be significantly impacted by firewalls,
particularly if they are set up to analyze or manage a lot of traffic.

• Limited Scalability: Because firewalls are only able to secure one network, businesses
that have several networks must deploy many firewalls, which can be expensive.

• Limited VPN Support: Some firewalls might not allow complex VPN features like split
tunneling, which could restrict the experience of a remote worker.

• Cost: Purchasing many devices or add-on features for a firewall system can be
expensive, especially for businesses.

Conclusion

In conclusion, firewalls play a crucial role in safeguarding computers and networks. By
monitoring and controlling incoming and outgoing data, they help prevent unauthorized access
and protect against cyber threats. Using a firewall is a smart way to enhance security and
ensure a safer online experience for users and organizations alike.
